Comment 36 for bug 1779863

On Tue, Aug 07, 2018 at 03:59:27AM -0000, Nicolas Noble wrote:
> So one another solution I'd then see would be for you to bite the
> bullet, and stop calling your runtime "nodejs", because, well, it's not
> really nodejs.

Sure. This falls under correctly "declaring binary compatibility" in my
analysis.

When it comes to this kind of thing, we rely on a single arbitrator to
define how to do this exactly so that all distributions, as well as
binaries built directly from upstream sources, correctly interact and
agree on what constitutes compatibility. Upstream works best to act as
the arbitrator since you're unilaterally in a position to define what
constitutes binary compatibility. Downstreams can't really do that. I
suggest, then, that you define exactly how to do this correctly, and
incorporate this mechanism into your build system (or at least
officially document it) so that all distributions do it the right way.

For example: it's not really "node-debian-v57" either; it's
"node-openssl1.1-v57". Ubuntu, Debian and all other distributions that
might release with nodejs linked to OpenSSL 1.1 would all share binary
compatibility, AIUI, so it would be overkill to force them to lose
binary compatibility between each other just because this compatibility
is ill defined. The build system should correctly arrange for the report
to be correct based on how it was built. If this were to happen, all
distributions would simply use it, and you'd get your "declare your
binary compatibility correctly" wish granted by default.

> But your obstination on releasing a nodejs runtime that's not really
> nodejs while 100% masquerading as the official nodejs will eventually
> force us to discourage our users to use your runtime, because there's
> nothing we could do to handle the subtle bugs you're introducing on us.

I suspect what will happen here is that we'll end up rebuilding nodejs
against 1.0 in 18.04. But this won't solve the problem for next time.

From your wording I don't think you've understood the distribution
ecosystem and why what you are doing and your expectations are a problem
for distributions to be able to meet in the general case. Distribution
users *expect* package dependencies to be de-duplicated, and to receive
security support for those dependencies from a single source. This is
the reason that "apt-get install ..." Just Works. You rely on this too:
for everything on your system that works without you caring for them
specifically.

Let's try not split our users into two factions, and instead figure out
how to solve this problem well for everyone. But I think to begin to do
that you first need to understand why distributions work the way they
do. I'm happy to spend more time with you on this. Please feel free to
ping me on IRC for a more interactive explanation of this, or to arrange
some other medium.